So, I was at Pulse this year and was the source of a pretty constant ridicule for carrying around what felt like a fifty pound laptop bag. It was horrible, and inconvenient, and not even effective. I had hard copies of schedules that were out of date about 30 seconds after I clicked print. By the end of the conference I had calluses on my fingers and I couldn’t walk more than about ten steps without having to change hands. It was really a constant reminder that I need to go to the gym more.

Anyway, interestingly enough, most vendors in the endpoint security space have basically adopted this same approach in designing their technology. Incoming attacks get blocked by signatures, and in order to keep you “prepared,” some companies just create and update these huge signature files, shoot them across the network, fold their hands and hope they get properly installed, and then get right back to work because the files they just sent are more or less immediately out of date. I can tell you from experience that lugging around a bulky bag of incomplete, outdated information is no way to do your job. It’s also no way to keep your employees, and by extension, your company, ahead of threats.

What companies need to do is focus on what a defense-in-depth of the endpoint would really look like. It means you need a lot of things. You need to have antivirus and firewall protection. You need a patch process that actually works. You need centralized policy management that is easily enforceable. And, of course, you need all of this in real-time. Until recently, that also meant you needed a lot of aspirin.

With its acquisition of BigFix last July, IBM basically invested in the convergence of security and systems management, two pieces of the operational infrastructure that will continue to become more intertwined. You can’t just write the policy, or obtain the patch, you also need to be confident that these changes and updates are continually being enforced at every single endpoint. Try automatically applying patches to computers that aren’t turned on and you’ll pretty quickly understand why convergence is so important.

Up until this week there were four offerings that were part of the Tivoli Endpoint Manager suite of products, all of which are managed under the same roof. We have solutions for lifecycle management, security and compliance, power management and patch management. This week, we were pleased to announce Tivoli Endpoint Manager for Core Protection, a solution designed to add another layer of depth to your endpoint security posture. Tivoli Endpoint Manager for Core Protection is the result of the relationship between IBM and Trend Micro, and offers the real-time, lightweight threat protection that other endpoint security solutions can’t really compete with.

I spoke earlier about how other vendors were sending these huge signature files across their network, files that were outdated before you even figured out how to install them on your PC. Tivoli Endpoint Manager for Core Protection is different because while it does employ the use of some signature files, it also leverages the cloud to reduce the amount of information that needs to be sent across the network and also provides the real-time protection that static signature files cannot. As the cloud is updated with the latest threat information, so too are all of the endpoints that are in conversation with that cloud.

This has proven to be extremely effective. In a recent third party test, the Trend Micro technology blocked 100% of all incoming malware (the second place competitive product came in at 77%) by taking a multi-layer approach. Nearly all (97.5%) of the malware was detected and blocked in the first layer (URL reputation) and the remaining pieces of malware were blocked in the two subsequent layers of defense. Now, here's where it gets even more impressive. An hour after the original test, they again tested just the malware that got through URL reputation, but this time it did not get through even that first layer of defense. This is protective technology that is updating and hardening its defenses as new threats come in.

I don't think I really need to explain the importance of endpoint security to anyone reading this. We all have different things at stake, whether it's your bank accounts, your music collection, confidential information for work or even just a photo album. What I can say is that 77% isn't good enough when it comes to protecting any of those things.

The strength of Tivoli Endpoint Manager is that it combines first-rate security with the systems management capabilities needed to ensure that protection is deployed across the entire infrastructure. When it comes to endpoint management, it's about no longer looking at technology in silos, it's about understanding why and how we can integrate different complementary offerings. Tivoli Endpoint Manager is built on that philosophy.

IBM just introduced new software and services to help build security into the design of new applications instead of adding it later as an afterthought.

New technologies like cloud computing and virtualization are making organizations more efficient and competitive. These new technologies are also adding increased complexity and risk, forcing businesses to find new ways to deal with compliance, risk management and data protection.

The new security software and services announced by IBM help organizations incorporate security into the initial design of applications, avoiding costly fixes down the road. The new offerings include:

Access Management: Software that can help organizations provide users with secure access to their servers, applications and environments, across new service delivery platforms, including cloud computing;

With IBM's October 12th SmartCloud launch, perhaps you're considering cloud computing for your organization. After all, the benefits of cloud computing are well known. Cloud computing is flexible, scalable, and cost-effective, and it's a proven delivery platform for providing business or consumer IT services over the Internet. Cloud computing can help you cut costs and IT complexity, provide new services to customers, and streamline business processes. Cloud computing is gaining in popularity and may be the wave of the future. Yet, many organizations hesitate to get started due to security concerns and confusion over how to get started.

Perceived risk versus actual risk
Cloud computing may seem new, but the fact is companies have been outsourcing services and technology for years. Providers already deliver hosted technology offerings that are located off-site with client access via the Internet. This is a common scenario for services such as remote storage or hosted email and other software as a service (SaaS) solutions. And just because companies may give up some control to the provider when they move to a cloud-based environment (just as they give up some control in any outsourced arrangement), it doesn't mean they have to compromise on security. By asking the right questions and preparing adequately, companies can build a "trust and verify" relationship with the cloud provider they are working with.

Questions to ask to ensure cloud security
It's important to remember that the same factors apply to ensuring security whether it is cloud-based or within a traditional IT infrastructure. The key difference in the cloud model is that it includes external elements, and those elements will be managed by the cloud service provider. This means companies need to understand the environment beyond their own data center and consider how it impacts the organization from a security standpoint. To help ensure security and peace of mind, as well as a good working relationship with the cloud provider, the client company should always identify and prioritize cloud-specific security risks beforehand. Often, companies will find they have the same amount of control, if not more, with a cloud service.
There are specific tactics an organization can use to enhance cloud security. For identity and access management issues, companies need to control passwords, support privileged users and enable role-based access to these cloud services. With data protection, a key concern is knowing whether or not a company's hosted data is secure, especially if data from rival companies is also being stored on the provider's cloud service. Companies should also ensure the cloud provider is deploying antivirus software on all supported systems that could be exposed to attacks, and ensuring that selected programs can identify and protect against malicious software or processes. From an auditing and monitoring perspective, companies need to determine how the cloud provider is testing and monitoring the infrastructure to meet legal and regulatory requirements.

Reaping the benefits of cloud
Organizations interested in reaping the benefits of cloud can best begin by understanding the security ramifications of a cloud deployment to their business, keeping in mind they can start small by deploying cloud in low-risk workload areas like email services. This easing-in process gives organizations valuable time to become familiar with cloud on a scale that's simpler to grasp and doesn't put them at increased security risk. And as familiarity with cloud and trust in the provider grow over time, companies can expand their use of cloud computing into other areas of business. By following this gradual path, companies can start enjoying the benefits of cloud in a way that's safe and secure.

Personally, I never really got hooked on American Idol, but next month IBM is releasing a Software Development reality TV series at the 2009 Rational Software Conference that I'd love to watch! Yup, I'm a nerd. :) This stuff fascinates me. I'm looking forward to the drama, laughs and intrigue. Get an overview of the new reality TV series and view a trailer with the videos below:

Overview: IBM Rational's Walker Royce discusses the Reality TV series as he fills you in on some of what you can expect to see at RSC 2009.

Today’s business environment calls for information sharing at an unprecedented scale. Sensitive information is shared between organizations, end consumers and even business partners. The biggest challenge that organizations face in doing so is how to ensure that sensitive information is securely shared with different parties and that the right people are accessing the data. With the adoption of cloud and Software as a Service deployment models, ensuring secure access is even more critical and challenging.

Consider a scenario where a government agency needs to share information with different agencies, local governments, citizens or even with other business entities (e.g. a revenue agency that needs to share information with citizens and other entities like a tax preparation service). If one of the entities is operating in a public cloud environment, it becomes critical for the government to ensure that the right person is accessing the right data without sacrificing privacy, security or scalability (that is, that the party requesting information really is the government revenue agency or tax preparer they claim to be).

Over the past couple years, we have seen how the US government has taken steps to ensure secure sharing of data between agencies with regulations such as FISMA, which was introduced in 2002, bringing attention to the critical nature of cyber security and its impact on national security.

Identity is at the core of any information sharing transaction. Hence whenever an individual attempts to access secure online sites or web portals, their identity has to be verified to ensure they are authorized to view that data. Additionally from the end user or citizen’s perspective, they should be able to set up their identity once and then log in to multiple systems without having to log in multiple times.

Federated identity management is the solution which enables multiple applications to share user credentials based on trust. This is especially critical in supporting cloud deployments for secure information sharing across private, public and hybrid clouds. With federated SSO, users can log on to the sites of multiple businesses and organizations by using the same user id and password, hence gaining a seamless and secure entry to multiple applications.

Tivoli Federated Identity Manager from IBM is an access management solution that provides web and federated single sign on to end users across multiple applications resulting in improved user experience. Tivoli Federated Identity Manager enables central management of access, enhanced user productivity and facilitates trust by delivering single sign on across separately managed infrastructure domains, both within an organization and across organizations.

Recent IBM news on “Smarter Cities” is invoking fond memories of one of my favorite courses at Rensselaer Polytechnic Institute: Politics of design taught by Professor Langdon Winner. Some of my favorite discussions during this course focused on urban theory and planning and environmentally and ethically responsible innovations. A few of my favorite personal readings included:

While innovations and technologies always fascinate me, personally I’m most interested in the political, socio-cultural aspects of Palmisano’s statement below:

“All the ways in which the world works come together in our cities. They are the proverbial melting pot -- not only for immigrants, but for systems, blending them together to engender new forms of commerce, of culture, of science, of life and of society. Which is why cities -- more than states, provinces or even nations -- are likely to be the crucible for human progress and evolution in the coming century.”

Smart cities require smart people and deliberate thinking. How will SmarterCity designs and innovations enable and constrain our attempts to build ethical, sustainable, humane systems and relationships? What are key philosophical and socio-cultural issues to consider in this endeavor?

We are increasingly living our lives in online spaces, and as a result, the monetary value of those spaces seems to be rising every day. Billions and billions of dollars are spent every single year on online advertising. One of the challenges is not only making sure that your money is well spent, but also that your spend won't have a negative impact on your brand. If you're wondering how that could happen, think about this: it's estimated that about 10% of all online ads wind up in places they shouldn't be.

I actually had the pleasure of having lunch with Ian Lightstone (CFO ArtsandTV) a few months back while we were originally filming this video. It was my first exposure to the project and I have to say, it's pretty fascinating what they're working on. As someone who spends all their time talking about vulnerabilities and attack types and all the other pieces of the security conversation, advertising wasn't something that came up a lot. SEO attacks are probably the closest I'd ever gotten to thinking about advertising in the context of security. So how does security intersect with advertising?

ArtsandTV is a relatively small company that needed a lot of data. Data is something that IBM has. Specifically, we have one of the largest URL filtering databases in the world (Security Content Analysis SDK). This product is something typically used to enhance existing security offerings, but it is being used a bit differently here. The Project Sunblock team wanted to improve the way advertisers spend their money.

As you can probably imagine, there are a lot of inappropriate websites on the internet, places where you wouldn't want your brand to appear. In addition to the obvious places you want to avoid, there are other places that are more subtle. Imagine you are a bank, and you advertise a lot on some popular news site. One day, that site runs a story about the financial crisis and is extremely critical of the banking system. Despite the fact that you might frequently advertise on this site, you likely do not want your brand associated with that story.

So, ArtsandTV had the algorithms and IBM had the data. The combination of the two became Project Sunblock, an ad spend optimization and brand protection tool. Project Sunblock can help to keep your brand from appearing on inappropriate pages through the use of content and image analysis combined with a real-time decision making engine. This applies to both generally inappropriate sites, as well as the instances of specific articles and stories that you don't want your brand associated with.

One last thing to remember is that 10% figure I cited at the beginning of this post. Not only is this solution protecting the image of a brand, it is also a way to get a better return on your investments. That 10% can be better spent elsewhere.

As the mainframe continues to extend support for consolidated workloads on System z, enterprises should strongly consider utilizing the mainframe as their enterprise data and security hub. Mainframes are uniquely able to protect information with a rich collection of encryption capabilities that includes self-encrypting tape and disk storage for data at rest, in addition to robust access controls, file level encryption, database encryption, and communication encryption protocols. Now with the mainframe’s ability to support virtual workloads, organizations can create cloud environments with protected data available for shared innovative collaborative ventures.

Encryption is the ultimate solution for protecting sensitive data. But many practitioners are reluctant to utilize encryption due to concerns of performance overhead, disruption to their operations and changes required in their applications, and encryption key management complexity. But the biggest fear of all is losing all access to encrypted data if the encryption key is ever lost or forgotten.

In most cases, organizations have less and less choice over when and how to encrypt information as more and more industries and governments enact legislation and standards that mandate the use of encryption.

Personal financial information must be protected as regulated by SOX, GLBA, etc.

Breach notification regulations include 45 US states, national laws protecting their citizens' data such as in Italy, the recent rules changes for the EU Directive on Privacy and Electronic Communications, etc.

So a superior encryption key lifecycle management solution is essential in order to implement the best end-to-end security which protects enterprise mission critical data and sensitive personal information. This solution should include standards based key management and help:

Centralize and automate encryption key management process

Work with hardware based encryption built into a variety of IT components like self encrypting tape and disk drive

Reduce the number of encryption keys to be managed through techniques like key wrapping of unique keys per device

Simplify encryption key management with an intuitive user interface for configuration and management

Maintain performance by using hardware acceleration and not slowing down data access paths

Facilitate compliance management of regulatory standards with proof of encryption for safe harbor from disclosure requirements

Leverage open standards like the OASIS standard Key Management Interoperability Protocol (KMIP) to give the choice of best of breed components and facilitate vendor interoperability

Operate transparently without requiring code modification

IBM Security Key Lifecycle Manager for z/OS allows enterprises to fully exploit the security strengths of their mainframes to act as both an enterprise data hub and an enterprise security hub for the consolidated workloads that run on the newest System z platforms.

Last Tuesday, we debuted new releases to the IBM Tivoli Access Management family with an announcement letter (210-159).

I suggested that we take the products down to the local Sears for a "family picture." We'd go for a tropical theme (to commemorate the ending of Lost) and maybe even let IBM Tivoli Unified Single Sign-On hold the teddy bear.

I was outvoted. I won't say by how much. But I was outvoted.

Instead, we did something a heck of a lot better. It's something that I retweeted last week.

As customers are driving new business initiatives, IBM can provide the secure access they need. Typical access requirements we're hearing from our customers are:

Enabling secure access to new service delivery platforms like cloud and SOA

All of this is provided in detail on the Enhanced Security website, where there is more information on these initiatives. If you like what you read, contact your IBM sales representative or business partner.

And, no. See above, I do not have wallet-sized pictures of the Tivoli Security Policy Manager...maybe next time...

While preventing security breaches is paramount, security administrators are frequently bogged down with tedious, time-consuming, complex day-to-day tasks that divert their attention from security issues. These time-consuming tasks can be reduced by improving security administration processes and automating audit documentation, allowing administrators to focus on innovative extensions to their business applications in order to maximize investments.

Join us for this webcast on July 14th to learn about the new capabilities in Security zSecure suite, Security Key Lifecycle Manager, Tivoli Federated Identity Manager, Tivoli Security Information and Event Manager, and other security products that enhance cloud security on the mainframe.

In this session, you’ll learn how Tivoli Security Management for zEnterprise can help:

·Reduce the cost of administrating security on the mainframe by reducing complexity and using fewer staff resources

A few years ago, I worked on organizing an analyst summit for IBM where we announced the (then new) IBM Security Framework.*

Cut to today and the IBM Security Framework is still at the foundation of Smarter security solutions from IBM.

The IBM Security Framework. Visibility, Control and Automation.™

When we talk to customers about how to address their business pains, the fundamentals remain the same even though the technology continues to advance in new directions.

With Cloud and Virtualization in particular, the technology is certainly changing at a pretty fast clip.

Take a look at the fourth video in our series, "Cloud Enabling Your Data Center: Security and the Cloud" where Joe Anthony, IBM Director, Security, Risk & Compliance Product Management, talks about the IBM Security Framework and how it addresses the Cloud and business pains our customers are trying to address.

The message and the focus of security and the Cloud is still very much rooted in the IBM Security Framework.

As a reminder, the entire video series can be seen using the YouTube Playlist (Get Cloud Ready).

* To be clear, I had nothing to do with building the IBM Security Framework. I was just the project manager for the event. Like Jarvis in the Avengers. (as a side note: one thing I learned about event planning - coffee, coffee, coffee!)

Virtualization has proven its business worth as a technology, however there is still limited understanding about how to secure it. To many, the question still remains - why do virtual environments need separate security when we have already secured the physical environment i.e. physical servers and the network in a data center. To answer this, it is essential to understand that the virtual environment creates a totally new layer above the physical server, which in turn, acts like a mini data center with all the complexities of multiple virtual machines, hypervisors, virtual networks and virtual appliances. The biggest risk that comes with a virtualized environment is the lack of visibility into it. Thus even if the environment is being attacked it isn’t necessary that the administrators are aware of it. Hackers are also excited with the hope of unveiling a set of new vulnerabilities that this environment could come with.

Having realized this risk of vulnerability and possible loss of millions-worth of data, the PCI Security Standards Council has come up with compliance guidelines for virtual environments. In June 2011, the PCI group released ‘PCI DSS Virtualization Guidelines’ that broadly describe aspects that need to be considered while securing a virtual cardholder data environment. The guidelines consider the new entities that pop up with virtualization, such as Hypervisors, Virtual Machines, Virtual Appliances, Virtual Switches or Routers, Virtual Applications & Desktops and provide the virtualization considerations across the 12 PCI DSS requirements.

It is clear that a new approach to security is required, with concepts like ‘secure by design’ making further sense in this multilayered environment. Also, a specialized security solution would be needed to provide visibility, control and proactive protection. The solution needs to protect all entities of the virtual environment and monitor data that is being shared between these entities.
While securing virtual environments, the physical components of the data center should not be ignored. These physical components should continue to be secured as they would have been prior to virtualization. The PCI guideline points out that to ensure total security, the entire infrastructure hierarchy needs to be secured. This means that even if only one Virtual Machine (VM) is carrying cardholder data, both the hypervisor and the physical server need to be secured. Since the VM sits on the hypervisor and the physical server, a compromise to either of them can lead to the VM getting compromised.

Also with the increasing buzz around Cloud computing and Cloud-based service offerings, there would be further security requirements and considerations that need to be implemented to create a secure Cloud based cardholder data environment. However, if Cloud is considered as the next level of virtualization, the additional security required would be on top of the current virtualization considerations.

An enterprise would one day need to move on to the virtualized environment, considering the pressure to carry out continuous optimization and increase utilization. This would also mean that the ever growing cardholder data would need to move into this environment. The current deterrents that hinder this move are the lack of understanding of the environment and its security requirements to achieve a PCI compliant datacenter. However, sooner or later, the compelling business advantage of virtualization would push a CIO to take that leap.

Welcome to the IBM Service Management blog. A variety of authors who represent different parts of IBM will discuss a range of Service Management topics such as service availability and performance, green IT, IT asset and financial management, IT governance, service delivery and process, storage management, SOA management, enterprise asset management, and service assurance for service providers.

We'll discuss industry trends and happenings, analyst perspectives, new product and solution announcements, support and services offerings, upcoming events, helpful resources, and heroes in the broader IBM Service Management network. This blog provides multi-directional communication with the public, and we encourage and look forward to your feedback, thoughts, and questions. For extended sharing, check out our new IBM Service Management community.

I'm Tiffany Winman, the IBM Service Management community and social media program manager, and my blog topics tend to focus on communities, people, companies, heroes, and stories in the broader Service Management and Tivoli "ecosystem" and the use of innovative social technologies to facilitate online social networking and collaboration. When I'm not blogging on group blogs such as Service Management, Tivoli, Pulse, and Web 2.0 Goes to Work, you can join me in riveting conversation ;) on my individual blog.

Going to Pulse? Here's your chance to ensure you get the information you want and need!

IBM is hosting a one hour panel, "Tales from the Cutting Edge of Service Management," with IBM customer panelists at Pulse. Tell us which of the questions below you would most like us to ask the panel. Are there any topics we missed?

Green

·What are you doing to have a more energy efficient data center?

·How have you determined your energy usage and what your energy management goals should be?

Virtualization / Cloud

·How are you managing the different business services and IT environments across a virtualized environment?

·How do you monitor all the different business services and IT components across a virtualized environment?

·How do you think Cloud Computing will affect your business?

Service-oriented architecture (SOA)

·How have you set up a SOA environment?

·Sixty-three percent of clients expect SOA application to impact their service management investment.

·What is your company doing to extend into that environment?

ITIL

·What benefits have you experienced in applying the ITIL framework in your organization?

Storage

·What steps are you taking to manage and store the proliferation of data?

·How do you ensure that the data your business runs on is where you need it and properly archived for accessibility and compliance?

Security

·How are you managing access control and security of your business critical systems?

·What are you doing to address data security?

Implementation of Service Management

·What has been your company's key challenge in implementing Service Management and how did you overcome it?

·Once I’m ready to make that leap and say, okay, let’s start down the path to Service Management, what should I plan to spend to do that?

·Do you see more value for implementing Service Management in any specific area of the business or is it consistent across the board?

·How did you develop your implementation strategy for Service Management?

·How was your implementation of Service Management particular to your industry?

·Could you talk about why a company might be inclined to start a Service Management initiative now rather than later?

Future of Service Management

·What changes do you see ahead for Service Management? If so, how?

Metrics

·What are the top key performance indicators against which you measure IT Operations success? For example: service uptime, improvement in MTTR, reduction in customer calls/incidents, SLAs with lines of business, internal SLAs, customer experience, etc.

·What Service Level Management Metrics help to enable corporate governance?

Business Value of IT

·Do you track IT costs per service? Is this information used for service planning/justification and/or chargeback of related costs to the lines of business?

·How does Service Management help your company to minimize the functional processes of technology and instead focus on how IT contributes to your core business?

·How do you ensure that your IT and business objectives are aligned?

Asset Management

·Have you seen an increase in asset up time as a result of your asset management implementation?

·What measures have you taken to ensure that your company's physical and IT assets are managed optimally, in a way that reflects business goals and strategies?

Benefits of Service Management

·How does Service management help your company achieve and maintain significant distinction in an ultra-competitive marketplace?

·How does Service Management help you to attract new customers, measure and increase the satisfaction level of customers you have?

·What benefits have you seen from using Service Management?
